/ IN THE SPECIFICATION 

Please m^e the indicated changes in the following paragraph, beginning at p. 5, line 21 
of the Specification and ending at p. 7. line 10 of the specification: 

The IPSec protocol suite implements security at the network layer of the multi-layered 
OSI (Open Systems Interconnection) network reference model. The suite includes a number of 
separate protocols that are used in conjunction with one another to ensure the security of UDP 
datagrams that carry information across the internet. The base architecture of IPSec compliant 
systems is explained in RFC 2401, "Security Architecture for the Internet Protocol," S. Kent and 
R. Atkinson (November 1998). The AH (Authentication Header) protocol assures data integrity, 
source authentication, and incorporates "anti-repeat" measures to deter denial-of-service attacks. 
ESP (Encapsulation Security Payload) protocol provides protections similar to AH, but adds the 
additional feature of payload encryption. Both AH and ESP headers have a field for a Security 
Parameters Index (SPI). The SPI is a 32-bit pseudo-random value that is used to identify a 
Security Association (SA) for the datagram. Further information regarding these protocols may 
be found in RFC 1826, "IP Authentication Header," by R.Atkinson (August 1995), and RFC 
2406, "IP Encapsulating Security Payload (ESP)," S. Kent and R. Atkinson (November 1998). 
ISAKMP/Oakley (Internet Security Association and Key Management Protocol, also commonly 
referred to as Internet Key Exchange - IKE) is a handshaking protocol that establishes the 
parameters for a secure session between two hosts and provides for the exchange of keying and 
other security information that is used to implement the secure session and permit the 
transmission of encrypted data. The ISAKMP/Oakley protocol (hereafter referred to simply as 
ISAKMP) involves the initial exchanges of unencrypted messages to provide both machines with 
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initialization data from which authentication may be established and secure keys for data 
encryption may be generated. An explanation of these processes may be found in RFC 2409, 
"The Internet Key Exchange," D. Harkins and D. Carrel (November, 1998). Once security 
parameters sufficient to establish Security Associations (SAs) between hosts have been 
exchanged, all subsequent transmissions will be encrypted and fully authenticated in accordance 
with the agreed-upon protocols. At that point the ISAKMP protocol terminates. Subsequent 
addressing is based upon the IP address for each machine and the machine's SPI for that session. 
The SPI is unique for each machine during a session. The gateway for a private LAN will 
maintain an internal table in which "SPI-In" [[in]] is a value that is cross referenced to the local 
machine's IP address, and "SPI-Out" is cross referenced to the IP address of the machine on the 
internet that is communicating with the local machine. The SPI for each machine is computed 
from information exchanged during the ISAKMP transmissions, and is carried in the AH or ESP 
header that is appended to UDP packets. Because IPSec protocols may be nested to provide 
security in a variety of environments, a single datagram may include both an AH and an ESP 
header, and may encrypt some header information. 
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